Flagstar Bank paid a $1 million bitcoin ransom in late 2021 to access and delete a swath of sensitive customer data hackers
A professional ransomware negotiator helped Flagstar leaders make the payment to the perpetrators on Dec. 31, 2021, according to a deposition of the firm’s chief information officer taken in January. That data breach,
The decision to pay was made by
“It certainly does not help to incent threat actors by paying them money to stop, I guess, harassing you,” said Charters in the deposition. “On the other hand, depending on the situation that anyone is in … I guess I’ll say they want to protect information and it could be worth the cost to protect that data and information.”
Federal law enforcement recommends companies don’t pay ransoms because, in addition to incentivizing criminals, such payments don’t guarantee data recovery. While other mortgage firms have
Neither Flagstar nor attorneys for either party responded to requests for comment Monday.
The December 2021 incident came 11 months after 1.4 million Flagstar clients had their personally identifiable information
Filings in the Angus v. Flagstar case, the one in which Charters was deposed, say anonymous criminals infiltrated Flagstar’s network on November 22, 2021, using stolen log-in credentials from a contractor. Within the following three weeks, hackers began to exfiltrate customer PII and deployed ransomware on Dec. 13.
The criminals sent a ransom note via fax, and a separate email to DiNello, according to Charters’ deposition. Once Flagstar negotiated the ransom payment, the response team, including the third-party negotiator, reached a server provided by the hackers via remote desktop access to delete the stolen Flagstar data.
Plaintiffs, in countering Flagstar’s motion to dismiss the complaint, wrote in a March 6 motion that it’s unclear whether the exfiltrated PII was definitively deleted.
“Flagstar has offered no competent evidence establishing what data was stolen and when, who stole it, and what those actors might have done with it during, and for months following, the breach,” wrote attorneys for plaintiffs.
Affected customers also take aim at Flagstar’s post-breach monitoring of the dark web for evidence their personal information was shared. Risk advisory firm Kroll, which isn’t a named defendant, didn’t begin monitoring the dark web until October 2022, 10 months after the breach occurred, according to Charters’ deposition.
A separate expert also conducted a search on the dark web for a plaintiff’s data on behalf of Flagstar, for two weeks in late 2022, and plaintiff attorneys paint his analysis as limited in scope. The identity of the culprit is also not disclosed in plaintiffs’ motions, nor made clear in either public deposition excerpt.
Plaintiffs are seeking class certification, unspecified damages over $5 million and to enforce numerous cybersecurity measures at the bank. No hearing or deadline is scheduled for the case.
In 2022, Flagstar came under the ownership of New York Community Bancorp, the publicly traded business facing prolonged turmoil